Posted by Soulskill on Monday October 04, 2010 @05:21PM
from the wonder-what-this-does-when-it-detects-torrents dept.

eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

Customer education is an issue with this one. I haven't talked to someone with that issue, but we offer free Norton with internet service, so there's no reason you can't protect yourself from some of the common threats. The thing that gets most people, though, is the drive-by bots. People have to abandon the plug-and-play web mentality, as that's what gets them in trouble. One person told me she got a pop-up telling her that the computer was infected with 45 viruses. I'm like, WTF?? But they fall for it all the time. Education is the only thing that can fix that problem.

One person told me she got a pop up telling her that the computer was infected with 45 viruses.

A thought that just struck me - if Comcast is using web overlays to pass on this info, it will, if anything, serve to legitimise the "Your computer is infected click here and give us your credit card details to fix it" pop-ups.

An email to the address they have on file would be much less creepy and more effective, IMO.

Something like "HEY, YOU, Customer #4572953, have a virus and this is your ISP, Comcast, telling you so. Please call our tech support at 1-888-IPGOUGE for removal help, and you should probably verify that phone number against your own documents before calling it."

And all the people who use ISP-independent email (which is good practice anyway as an ISP change will be easier) won't even receive it.

Having said that, the overlay is about the worst way they could have used the WWW.

What about a redirection of all www traffic to a warning page?

After you click a checkbox that says "OK, I got it, but I'm in a hurry, let me finish surfing" (which sets a session cookie), or after n HTTP requests or n minutes since the first recent HTTP request, normal behavior would be restored.

I don't know about you, but as soon as I realize it is a call from an autodialer, I hang up.

One trick if you don't recognize the caller ID is to pick up the phone and just listen. If it's complete silence on the other end, it's an autodialer and it will hang up after five seconds or so. Bonus points if you play the "number not in service" tone -- download that from here [voip-info.org] and play the "ss-noservice" file.

I just play a message telling the caller to press 1 to speak to me, wait 3 seconds then send them to the fax if they don't press any key. Actually, pressing any key routes the call to me. I swear, it is pretty efficient.

Playing the SIT tone (Zapateller) as you suggest might cause you to miss legitimate calls. In my case, the worst that happens is that legitimate callers have to call twice if they were distracted and not quick enough to punch in a key the first time.

Many of Comcast's cable customers are also phone service customers; they could just unobtrusively add a voicemail message to those accounts.

And I don't see why they shouldn't be able to send voicemails out-of-network, too. There's no reason the phone needs to actually ring for this, if it's in your voicemail you'll get the message eventually.

If the customer fails to address the issue promptly, then Comcast should disable their connection. When they call in, Comcast could easily ask them for a email address to forward such communications to.

I work for an ISP and this is how we handle it. (Of course, we're small, so we also call the customer on the phone number(s) on their account.)

Comcast cannot be trusted to not "mistake" torrent traffic for virus traffic, especially if the MAFIAA tried to either bribe OR extort them to tell their techies to look the other way before being able to tell the difference.

They've already been caught red handed screwing with torrents once before. Giving them plausible deniability with an opportunity to cover it up as virus quarantine is not a good idea.

A thought that just struck me - if Comcast is using web overlays to pass on this info, it will, if anything, serve to legitimise the "Your computer is infected click here and give us your credit card details to fix it" pop-ups.

Any thoughts from people who know more than me as to whether comcast just didn't think of this, or did and just doesn't care? On the one hand, they are comcast and don't have a reputation for forward thinking. On the other hand, they are comcast and don't have a reputation for giving two shits about their customers.

Any chance this is just the path of least resistance to say "Hey, we tried to help, but you ignored our warnings, the malware took you over your quota and you owe us $400," not caring if the us

What about a phone call? My ISP does this. Granted, it only has about 1.5 million customers. The way it goes is first, a phone call, if they are unable to talk to the person, they disable the modem until they call back. They only do this for large botnets, unless they receive a complaint about an IP.

But it *IS* effective.

Overlays and emails will only teach people to click on fake antivirus warnings, like you said...

Noob. An expert would have read the second half of the sentence: "... and the only reason they would want to is so they can figure out how to uninstall it." Because, as you now know, uninstalling it makes this wonderful 'whoosh' sound.

Yeah. The only AV that I've seen that's anywhere as bad as Norton is CA. I still can't get that off my GF's computer. I've spent 3 hours already. Norton Corporate is awesome. Nobody should have to deal with Norton Home. Ever. It's cruel and unusual punishment.

Customer education is an issue with this one. I haven't talked to someone with that issue but we offer free Norton with internet service

What is wrong with you? No, really? Have you actually used the recent Norton versions? I reckon a fair share of those who actually have would agree that Norton's presence on one's PC is actually worse than most malware infections.

Douglas said the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.

If they weren't "inspecting" traffic then the internet wouldn't work. How else would you route data from one computer to another without inspecting the traffic to see where the data needs to go? This same level of data can also tell you if the computer is a bot. For instance, if your computer is only sending data to port 25 on seemingly random hosts continuously for days, take a guess at what is happening; it's likely to be only one of two things. Same thing for suddenly getting a lot of 100% identical req
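The two signals mentioned in this thread, the Damballa-style "customer address phoning home to a known command centre" and the commenter's "port 25 to random hosts for days" heuristic, as an added example run over constructed flow records. This is illustration code, not Comcast's or Damballa's system; the flow format, the C2 indicator list and the thresholds are all assumptions made up for the example.

```python
"""Two bot-traffic signals over constructed flow records (added example).

Signal A: a source address contacting a listed botnet C2 address.
Signal B: a source opening SMTP (port 25) connections to many distinct
destinations over a sustained period. A normal client talks to one or two
relays; a spam bot sprays across many MX hosts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


# Constructed indicator list (documentation-range addresses), standing in
# for whatever a real C2 feed would supply.
KNOWN_C2 = {"203.0.113.7", "198.51.100.99"}


def parse_flow(line: str) -> Flow:
    """Parse a 'ts src dst dport' record; the format is invented for this example."""
    ts, src, dst, dport = line.split()
    return Flow(int(ts), src, dst, int(dport))


def c2_contacts(flows):
    """Signal A: {src: {c2 addresses it talked to}} for every listed hit."""
    hits = defaultdict(set)
    for f in flows:
        if f.dst in KNOWN_C2:
            hits[f.src].add(f.dst)
    return dict(hits)


def smtp_fanout(flows, min_distinct_hosts=20, min_span_seconds=3600):
    """Signal B: {src: (distinct SMTP destinations, seconds between first and
    last SMTP flow)} for sources over both thresholds. Requiring a time span
    keeps one short burst (a mail client retrying) from tripping it."""
    dsts = defaultdict(set)
    first, last = {}, {}
    for f in flows:
        if f.dport != 25:
            continue
        dsts[f.src].add(f.dst)
        first[f.src] = min(first.get(f.src, f.ts), f.ts)
        last[f.src] = max(last.get(f.src, f.ts), f.ts)
    flagged = {}
    for src, d in dsts.items():
        span = last[src] - first[src]
        if len(d) >= min_distinct_hosts and span >= min_span_seconds:
            flagged[src] = (len(d), span)
    return flagged


def build_sample():
    """Constructed records: one normal relay client, one spam bot, one C2 beacon."""
    lines = []
    for i in range(30):                       # client relaying via its own server
        lines.append(f"{1000 + i * 10} 192.0.2.10 192.0.2.1 25")
    for i in range(40):                       # bot: new MX host every 3 minutes
        lines.append(f"{1000 + i * 180} 192.0.2.20 198.51.100.{i + 1} 25")
    lines.append("5000 192.0.2.30 203.0.113.7 8080")   # beacon to listed C2
    return lines


def flag(lines):
    """Run both signals over raw records and return the hits per signal."""
    flows = [parse_flow(line) for line in lines]
    return {"c2": c2_contacts(flows), "smtp": smtp_fanout(flows)}


if __name__ == "__main__":
    print(flag(build_sample()))
```

Note what the fan-out check does not do: it never looks at message content, only at destination count and duration, which is the kind of header-level data any router already has to handle. The thresholds are the tunable part; set too low, a small business running its own mail server looks like a bot.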

You're right to feel leery. Comcast should not be altering the content of your web pages AT ALL. In addition, the effectiveness of this tactic over time is questionable: Malware and scam artists are already using popup-style alerts.

The canvas of a web page is simply the wrong context for security alerts. An email would be a bit better, and a US mail postcard or phone call would be better still.

I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon, but not without great pain.

Normal insecticide and pest repellent doesn't even work with these things. You really need to keep your netting clean and free of holes. One small hole and you'll wake up with bots dug into your skin and larva chewing at your subcutaneous layer of fat.

Just wait till the YOUR PC IS INFECTED crowd picks this up, they are going to have a field day with this.
In my opinion people should get a warning next time they pay their monthly fee and if they do nothing about it maybe a stupid-tax or something.

Comcast is creating a system where unrelated websites will notify you of problems in your computer. This is the "Virus detected click here to install antivirus 2011!", except being legitimate it tells people to trust what a random website tells them. Way to train users to trust any website popup, I expect this will result in new phishing scams.

The only upshot is that the people who are infected are often the ones who already install anything that a popup warning tells them to.

The method they chose for notification is to man-in-the-middle my connections? Are they injecting Javascript into sites I visit? Does this mess with protocols other than HTTP? Why can't they just send an email to the account holder, or call them with a recorded message? Why break your service in order to fix it?

I think this is a good method. It's a lot harder to ignore than other ways that you've suggested (how much of an automated phone message would you listen to if it started as "This is a courtesy call from Comcast internet services..."). HTTP is also a service that people are more likely to use every day, and there's little chance that an errant spam filter will block it.

A risk - in theory - is that when people see this popup, they'll say "I'm supposed to not interact with these things" and just click "Close," rather than understanding what it says. On the other hand, if your computer is infected with some sort of 'bot, you probably click through things like this anyway.

1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.

I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.

1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.

No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all H

I'd guess Comcast isn't sending an email at least in part because a healthy percentage of their customers don't use Comcast's crappy email service.

I still think this is a gross and intrusive tactic, but so is how they hijack DNS redirects to show you a custom "search" page with ads on it. At least they give you an option [comcast.net] of turning that "service" off.

If your IP is not on the list of infected customers, they won't affect you. But if it is, they redirect your port 80 traffic to their proxy server, which injects the HTML. Specifics, like how it does the overlay, I don't know. Maybe it wraps a frame or div. You'll have to fake being infected to see. Use HTTPS, or an SSH tunnel to a proxy of your own, to avoid it while being infected. If you can't be infected, then your only risk is if your ordinary traffic trips their infection detector.

They do send an e-mail, at first. If the traffic continues unabated, they redirect port 80 traffic (only) through a proxy which adds the notice to the server response (the web page you request). It doesn't break or tamper with anything else.

Personally, I don't see a problem with this, since, if you're allowing botnet traffic, you're already abusing the TOS (with or without your knowledge -- and after the notice, certainly ignorance isn't an excuse), and as such you're not really entitled to "unbroken" service, or any service at all for that matter. I think providing this notice is a good compromise.

Rather than making a separate post, I also want to address one of the points in TFS: "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

This is rather missing the point -- realistically, if any machine inside your network has been compromised, you should assume that the entire network has been compromised, and you should be inspecting/sanitizing/protecting all of the machines accordingly. You should likewise assume that all of your online accounts have been compromised, change your passwords from a trusted location, and check for any unauthorized activity.
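The two comments above describe the mechanism: flagged addresses have their port 80 traffic sent through a proxy that adds the notice to the server's response. This added example (not Comcast's code; the notice markup, the header handling and the sample responses are all constructed here) shows what such an injector has to do to an HTTP response, and which responses it has to leave alone or it would corrupt the page rather than annotate it. It also makes the "use HTTPS to avoid it" point concrete: the proxy only ever sees plaintext HTTP, so an encrypted response never reaches this code.

```python
"""Inject an overlay into an HTTP/1.x response (added example).

Only a 200 text/html response that is neither compressed nor chunked is
touched; everything else passes through byte-for-byte. Content-Length is
recomputed, because a stale length makes the browser truncate the page.
"""
import re

# Placeholder overlay markup; not the real notice.
NOTICE_HTML = (
    '<div id="isp-notice" style="position:fixed;top:0;left:0;width:100%;'
    'background:#ffe;opacity:.9;z-index:2147483647">'
    'Placeholder notice: traffic from this connection matched a bot signature.'
    '</div>'
)


def split_response(raw: bytes):
    """Split a raw response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name: bytes):
    """Case-insensitive header lookup; None when absent."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def inject_notice(raw: bytes, notice: str = NOTICE_HTML) -> bytes:
    """Return the response with the overlay added, or `raw` unchanged when
    injecting would break it (non-200, non-HTML, compressed, chunked)."""
    status, headers, body = split_response(raw)
    parts = status.split()
    if len(parts) < 2 or parts[1] != b"200":
        return raw
    ctype = get_header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    # A gzip/deflate body would have to be decoded first; a chunked body
    # would need re-chunking. This example does neither, so it passes both through.
    if get_header(headers, b"Content-Encoding") is not None:
        return raw
    if (get_header(headers, b"Transfer-Encoding") or b"").lower() == b"chunked":
        return raw

    snippet = notice.encode("utf-8")
    m = re.search(rb"</body\s*>", body, re.IGNORECASE)
    new_body = body[:m.start()] + snippet + body[m.start():] if m else body + snippet

    # Drop any existing Content-Length (any casing) and emit the correct one.
    new_headers = [(k, v) for k, v in headers if k.lower() != b"content-length"]
    new_headers.append((b"Content-Length", str(len(new_body)).encode()))
    head = b"\r\n".join([status] + [k + b": " + v for k, v in new_headers])
    return head + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    sample = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 31\r\n\r\n"
              b"<html><body>hello</body></html>")
    print(inject_notice(sample).decode())
```

The pass-through rules are where a careless injector does damage: rewriting a JSON or image response, or an HTML body the server gzipped, hands the browser garbage, and leaving the old Content-Length in place cuts the page off at the original length. A bot that tunnels its own traffic, or a user on HTTPS, never sees the overlay at all, which is the limitation other comments here raise.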

I didn't say they don't deserve service, I said they don't have a right to it. What people deserve is only rarely related to what they get. Moreover, their presence on the network is necessarily degrading the experience for everyone else who's being responsible with their activity. Do responsible users *deserve* to be inundated with attacks from the machines of people who, for whatever reason, aren't "advanced user interested in computers and all things technical?" What if we were discussing dogs instea

Saying that those who don't fall into that category and get infected don't deserve any service because they've fallen afoul of their TOS is pig ignorant.

Time for a car analogy... is that a bit like saying that those who don't know how to drive well and are a danger to others don't deserve a license is pig ignorant? The problem here is not what these computers are doing to themselves, it's what they are doing to innocent victims on the net who know how to run their computers. Besides, even if something i

So: they don't have an e-mail address for you, or a phone number, and you throw out all postal mail you get from them. How do you suggest they contact you if there's a problem? I wouldn't be in favor of overuse of this method, but if you've got a 'bot running on your system, you're part of a problem and maybe something a little heavy-handed is warranted.

"So: they don't have an e-mail address for you, or a phone number, and you throw out all postal mail you get from them. How do you suggest they contact you if there's a problem?"

Anyone that throws out mail from Comcast can just as easily ignore the overlay. Besides, it's not Comcast's responsibility to tell you if you have a bot running on your machine. This would be a little like your car putting an overlay on your windshield if your windshield wipers are in need of replacing; it's just ridiculous.

If you're infested with a botnet you are doing harm. In short infested computers create attackers and ISPs need to take responsibility for the attackers on their networks. I was more concerned that ISPs have NOT done this until now.

I say exponentially decay their bandwidth as if it was an RC circuit with a time constant of about three days. In about a week I'm sure they'll be calling to complain about the Internet speed...and then you'll have their undivided attention.

When people's connections are slow, they switch providers (because providers all advertise based on how fast their network is, of course without ever giving out numbers). What makes people call and complain is if you cut off their service.

Did you scan them with an AV scanner that was already on there? Most malware these days makes at least a cursory effort to avoid AV scanners, and if it didn't block it in the first place, what makes you think it'll detect malware that's already resident?

Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer — including Mac versions of the Symantec suite.

At least most bots have the decency to let you use your own computer. Norton (and in my experience, McAfee) security suites are much less inclined to leave enough free resources for that to be possible.

...but if their diagnostics are accurate, it will only affect Windows users. And those people are fine with these things (botnets, spyware, constant intrusive advertising, confusing choices between virus checkers, weird popups, etc). No important work will be interrupted, just games, facebook and porn. The rest of us may or may not see slightly faster access, so... what's the bfd?

I think it's great that Comcast is trying to address the bot problem. But they picked a rather poor method IMHO. Surely it's obvious that you can't rely on the infected computer to relay the message... All the bot has to do is run a filtering proxy server and these HTTP insertions are long gone. The best solution would be to use another communication device, i.e. a telephone or letter. Besides, you may have a little old lady that only uses (non-ISP) e-mail twice a month, which might not get the message.

My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)

"Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.

I think that most of the people who are qualified to setup and maintain their own router are also qualified enough to determine exactly which of their machines are infected. Of course there will always be a few people who knew just enough about setting up a router to be dangerous, but if the network is completely open and someone using their network is spewing out spam or other garbage, it might tip off the network owner that they should secure their network.
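The "which machine behind the router is it?" question raised in the summary and answered above with "power them off one at a time" has a less disruptive answer on a Linux router: the NAT connection table already records which internal host owns each outbound connection. This is an added example, not from the thread. The lines are constructed in the format `conntrack -L` (conntrack-tools) prints; the addresses are private and documentation ranges, and the flagged destination and public IP are assumed to be what the ISP reported.

```python
"""Map an ISP-reported flow back to the internal host (added example).

`conntrack -L` prints each tracked connection with the original direction
first (internal src -> remote dst) and the reply direction second. On a NAT
router the reply direction's dst is the public address, i.e. the address the
ISP saw, so matching on it confirms the entry is the one that was flagged.
"""
import re
from collections import Counter

_KV = re.compile(r"(\w+)=(\S+)")

# Constructed conntrack output for a home router whose public IP is 203.0.113.200.
SAMPLE = [
    "tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=51514 dport=8080 "
    "src=203.0.113.7 dst=203.0.113.200 sport=8080 dport=51514 [ASSURED] mark=0 use=1",
    "tcp      6 118 TIME_WAIT src=192.168.1.23 dst=198.51.100.40 sport=40001 dport=25 "
    "src=198.51.100.40 dst=203.0.113.200 sport=25 dport=40001 [ASSURED] mark=0 use=1",
    "tcp      6 119 TIME_WAIT src=192.168.1.23 dst=198.51.100.41 sport=40002 dport=25 "
    "src=198.51.100.41 dst=203.0.113.200 sport=25 dport=40002 [ASSURED] mark=0 use=1",
    "udp      17 29 src=192.168.1.23 dst=192.168.1.1 sport=53210 dport=53 "
    "src=192.168.1.1 dst=192.168.1.23 sport=53 dport=53210 mark=0 use=1",
    "tcp      6 300 ESTABLISHED src=192.168.1.15 dst=198.51.100.77 sport=52000 dport=443 "
    "src=198.51.100.77 dst=203.0.113.200 sport=443 dport=52000 [ASSURED] mark=0 use=1",
]


def parse_conntrack_line(line: str):
    """Return (proto, original_tuple, reply_tuple) for one conntrack -L line."""
    proto = line.split()[0]
    original, reply = {}, {}
    for key, value in _KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            # Each of these keys appears twice: first original, then reply.
            (original if key not in original else reply)[key] = value
    return proto, original, reply


def attribute(lines, dst=None, dport=None, public_ip=None):
    """Count matching TCP connections per internal source address.

    dst/dport filter the original direction (what the bot connected to);
    public_ip, when given, must equal the reply direction's dst, i.e. the
    NAT address the ISP reported.
    """
    counts = Counter()
    for line in lines:
        proto, original, reply = parse_conntrack_line(line)
        if proto != "tcp":
            continue
        if dst is not None and original.get("dst") != dst:
            continue
        if dport is not None and original.get("dport") != str(dport):
            continue
        if public_ip is not None and reply.get("dst") != public_ip:
            continue
        counts[original["src"]] += 1
    return counts


if __name__ == "__main__":
    # ISP says 203.0.113.200 talked to 203.0.113.7:8080 (the listed C2).
    print(attribute(SAMPLE, dst="203.0.113.7", dport=8080, public_ip="203.0.113.200"))
    # Who on the LAN is opening SMTP connections?
    print(attribute(SAMPLE, dport=25))
```

The table is only a snapshot of live and recently closed connections, so this works when the bot is still active; for after-the-fact attribution the router needs to log NAT events (conntrack's logging or a firewall LOG rule on port 25) ahead of time. The one-machine-at-a-time approach still has its place on a consumer router that exposes none of this.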

I think that most of the people who are qualified to setup and maintain their own router are also qualified enough to determine exactly which of their machines are infected

1) You go to Best Buy and plug $59 for a 4 port router box.
2) You take it home and plug it into the wall.
3) You plug the WAN port on the router to the cable or DSL box. - this is the hardest part to get right
4) You plug your computers into the other ports and start accessing the internet

Coincidentally, I've noticed Comcast seems to be deploying IPv6 to home users. I was just helping a friend move into a new apartment, and I had the toughest time setting up the wireless router. Turned out that the router didn't support IPv6, so it wasn't able to connect to the cable modem. Right now, I've had her just wire up her laptop, but I'm going to see if different firmware makes the router usable.

Let's say I have an office with 100 machines and 5 public IP addresses. I have a few addresses with specific port forwarding set up for services to some servers, and the rest of the workstations share an external address. Hell, web traffic out of the aforementioned servers may go out the same external address as the workstations. They all share a common firewall that NATs the internal network. Why is this scenario bad?

the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.

It's akin to the ISPs being told that someone is pirating music/movies on p2p. They aren't detecting it themselves, good for privacy I guess, bad for reliability.